This started as a Zyxel VMG3625-T50B credential leak, but the affected scope later expanded across CPE, ONT, LTE, and 5G devices. A low-privileged router account could query Zyxel DAL endpoints and get back supervisor/admin account data, FTPS credentials, and TR-069 secrets in cleartext. I also dug into the password generation side: running Zyxel’s own genpass flow in QEMU, hooking the serial-number source with LD_PRELOAD, and tracing the Method2 / Method3 supervisor password logic. https://minanagehsalalma.github.io/zyxel-cve-2021-35036-super-admin-password-leak/ submitted by /u/TheReedemer69 [link] [comments]